I've been away from AO for a while, busy with some stuff going on lately. I have a question that fits best here, so I'm back.

Here's the situation. Recently, my organization has been questioning the value of Penetration Testing. It turns out the people asking didn't really know what it was to begin with. I am in the process of explaining it to these folks now. However, the questions keep coming up: "What is the value added?" "Why should we continue?" "Who should be doing it?"

So I have a few questions to the mighty AO:

Why do you pen test?
Why don't you pen test?
What is the value? Who (what functions) should be doing the testing?

Why do you pen test?
Why don't you pen test?
What is the value? Who (what functions) should be doing the testing?

Why - Audit requirement!
Why not - see above.
What's the value - see above; also, this is part of our audited SOX process.
Who - Reliable third party; the last one I had done was from IBM.

Cheers:

July 22nd, 2006, 06:45 AM

Computernerd22

Quote:

So I have a few questions to the mighty AO:

Why do you pen test?
Why don't you pen test?
What is the value?
Who (what functions) should be doing the testing?

1.) To keep my system 'secure' and up-to-date at all times. Making sure I can find no vulnerabilities to exploit on my machine. Also, making sure I cannot exploit the vulnerabilities that I happen to find. Execute the payload, install a kernel rootkit and a user rootkit, etc...

2.)

3.) Value? It is to learn. I figure if I can hack my network/box(es), so can anyone else. I want to keep my system from being breached. Worst case scenario, I figure even if they do get in, ALL DATA on my system is encrypted using the EFS provided by NTFS. Plus it's fun.

July 22nd, 2006, 11:40 AM

thehorse13

Quote:

Why do you pen test?
Why don't you pen test?
What is the value?
Who (what functions) should be doing the testing?

1) Regulatory compliance line item (PCI, HSPD-12 and HIPAA in my case) for risk assessment. The GREATEST risk is the unknown. Unless you pen test, you don't know if there are vulnerabilities. Ask your management chain if they are willing to sign off on an unknown risk. Watch how fast the attitude changes.

2) N/A

3) See #1, and also management is engaged in the due care concept. If your managers don't perform this cornerstone security task and by chance data is lost from your organization, your management chain can be nailed for not using due care. See the laws on this via Google. I'm sure your bosses don't like the idea of visiting the salad man in prison.

4) We use a tier approach to this. First, we ask the vendor for a list of known issues (if they will give it up). Second, we have a third party, BAE is my choice, run the tests. Then we have internal folks, me included, take a crack at it. In the end, we all compare notes. This yields the most effective results but of course costs the most.

--TH13

July 22nd, 2006, 11:42 AM

IKnowNot

Some links I found when trying to explain audits and pen testing to people:

The value difference in Internal/External Audits (your own employees or an outside company) and Internal/External Audits (let them come at the network from outside or from inside)...

I'm not a big fan of having internal employees audit a network... but there is a big IF to that.... if they are the network department... If you have a security group that is in no way, shape or form related to the network department... then it's a great idea... but having the network department do the pentest (I've known companies that do this) is useless... Obviously they are going to secure the systems as much as they can and as best they can... so they aren't going to get into them...

I like TH13's method of the outside company and an internal group (which I believe in his case is separate from the network group... correct TH13?)...

Now the other one... Do you get them to internally or externally audit your network? So many places go external only... These days more threats come from internal sources...

Then it comes down to what you need.

Some pen test companies look for one avenue into the network and then walk away...
Others will look for every avenue they can uncover...
Some will help you with policy review... others won't...
Do they require network topology and policy before they'll start?
etc...

You have to really know what you want and why you want it before you get started... especially when everyone these days thinks they can turn around and do pen testing... It's humorous to watch the Security Focus Pen Test mailing list... every second post is... I'm doing a pen test for company X, what should I do... that's the completely wrong approach... You don't just do a pen test... I feel so for the companies hiring these people... Then again... With places like VulnerabilityAssessment.co.uk releasing the Penetration Testing Framework... only bad things are to come... that framework is the biggest PoS I've ever seen...

Peace,
HT

July 23rd, 2006, 10:10 PM

Deeboe

Quote:

Originally posted here by HTRegz: I'm not a big fan of having internal employees audit a network... but there is a big IF to that.... if they are the network department... If you have a security group that is in no way, shape or form related to the network department... then it's a great idea... but having the network department do the pentest (I've known companies that do this) is useless... Obviously they are going to secure the systems as much as they can and as best they can... so they aren't going to get into them...

Do you still feel this way if it is another group within the company doing the Pen Test? For example, if the auditing department worked as an independent function of Finance instead of IT?

Good discussion points so far. Keep 'em coming! Thanks!

-Deeboe

July 23rd, 2006, 11:59 PM

HTRegz

Quote:

Originally posted here by Deeboe: Do you still feel this way if it is another group within the company doing the Pen Test? For example, if the auditing department worked as an independent function of Finance instead of IT?

Good discussion points so far. Keep 'em coming! Thanks!

-Deeboe

I believe I said that right in the quote... If you have a separate and distinct group then it's fine... but a lot of places will have the same group that deploys and configures the network also do its audits, and that doesn't work overly well...

July 24th, 2006, 11:32 PM

thehorse13

Quote:

I like TH13's method of the outside company and an internal group (which I believe in his case is separate from the network group... correct TH13?)...